
Firewall Failover With pfsync And CARP 60

Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination allows replacing single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."
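The summary describes three moving parts: a shared CARP address with one elected master, a pfsync link carrying pf state between the nodes, and pf rules that allow both protocols. The script below is an added example (not from the article, the submitter, or the OpenBSD project) that writes the per-node configuration files for a two-node cluster into a staging directory and sanity-checks the pair before they are copied to /etc on each node. Interface names (fxp0, fxp1), the 192.0.2.0/24 addresses and the shared secret are constructed placeholders; the file formats follow the OpenBSD 3.5-era hostname.if(5) and pf.conf(5) syntax (pfsync's interface keyword was `syncif` in that release and became `syncdev` in later ones).

```shell
#!/bin/sh
# Added example: stage config files for a two-node pf/CARP/pfsync cluster.
# Nothing here touches the running system; files land under $STAGE/<node>/etc.

STAGE="${STAGE:-${TMPDIR:-/tmp}/carp-stage}"
EXT_IF="fxp0"          # assumption: NIC facing the outside / upstream router
SYNC_IF="fxp1"         # assumption: crossover cable dedicated to pfsync traffic
VHID=1                 # virtual host id shared by every node in the group
VIP="192.0.2.1"        # the one address clients and routers see (constructed)
SHARED="changeme-shared-secret"   # placeholder: CARP advertisement password

# gen_node NAME ADVSKEW PASSWORD
# Lower advskew wins the master election, so the preferred master gets 0 and
# the backup a higher value; the password must be identical on all nodes.
gen_node() {
    node="$1"; skew="$2"; pass="$3"
    dir="$STAGE/$node/etc"
    mkdir -p "$dir"

    # /etc/hostname.carp0: the shared address plus group id, password, skew.
    printf 'inet %s 255.255.255.0 192.0.2.255 vhid %s pass %s advskew %s\n' \
        "$VIP" "$VHID" "$pass" "$skew" > "$dir/hostname.carp0"
    chmod 600 "$dir/hostname.carp0"   # the password is stored in cleartext

    # /etc/hostname.pfsync0: bind state synchronisation to the crossover link.
    printf 'up syncif %s\n' "$SYNC_IF" > "$dir/hostname.pfsync0"

    # Let a recovered preferred master take the address back.
    printf 'net.inet.carp.preempt=1\n' > "$dir/sysctl.conf"

    # /etc/pf.conf: pfsync updates are unauthenticated, so they are accepted
    # only on the dedicated sync interface; CARP needs to pass on the shared
    # segment. The web rule is a constructed stand-in for the real policy.
    cat > "$dir/pf.conf" <<EOF
ext_if = "$EXT_IF"
sync_if = "$SYNC_IF"

block all
pass quick on \$sync_if proto pfsync
pass on \$ext_if proto carp keep state
pass in on \$ext_if proto tcp to $VIP port 80 keep state
pass out on \$ext_if keep state
EOF
}

# field FILE KEY: print the token following KEY in a hostname.carp0 line.
field() {
    sed -n "s/.*[[:space:]]$2[[:space:]]\([^[:space:]]*\).*/\1/p" "$1"
}

# check_pair NODE_A NODE_B: the two nodes must agree on vhid and password
# (otherwise each ignores the other's advertisements and both become master)
# and must differ in advskew (otherwise there is no deterministic preference).
check_pair() {
    fa="$STAGE/$1/etc/hostname.carp0"; fb="$STAGE/$2/etc/hostname.carp0"
    [ "$(field "$fa" vhid)" = "$(field "$fb" vhid)" ] ||
        { echo "vhid mismatch between $1 and $2"; return 1; }
    [ "$(field "$fa" pass)" = "$(field "$fb" pass)" ] ||
        { echo "password mismatch: $1 and $2 would both claim master"; return 1; }
    [ "$(field "$fa" advskew)" != "$(field "$fb" advskew)" ] ||
        { echo "equal advskew: no preferred master between $1 and $2"; return 1; }
    return 0
}

# Stand-alone usage: fw1 is the preferred master, fw2 the hot standby.
gen_node fw1 0   "$SHARED"
gen_node fw2 100 "$SHARED"
check_pair fw1 fw2 && echo "ok: staged under $STAGE (fw1 master, fw2 backup)"
```

The check catches the two misconfigurations that most often turn a failover pair into a split-brain pair (mismatched secret, identical skew); once it passes, copy each node's etc/ files into place and bring the interfaces up with `sh /etc/netstart` or a reboot.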

  • That's really cool (Score:2, Informative)

    by Anonymous Coward
    I think my office implemented such functionality for like $120k, and it doesn't even work too well.
    • by hdw ( 564237 )
      Yup, we have something like that too.

      Except that our 50.000USD firewall solution fails to handle state sync (they've got problems enough with rules sync) and the failover works so badly that the dudes that run it have failed over to manual fail over :)

      I've been _soo_ tempted to suggest replacing all the gunk with OpenBSD, since it has all the stuff we need, and it works ...

      And it is a little bit cheaper. // hdw
  • HSRP (Score:4, Interesting)

    by bolix ( 201977 ) <> on Tuesday March 30, 2004 @10:30AM (#8713503) Homepage Journal
    I love sniffing the Cisco equivalent to CARP. Lots of HSRP calls to with no security built in. A simple ARP poison will fuck the switch. More advanced attack methods can be found c/o Phenolit []
  • I wonder... (Score:3, Interesting)

    by Yarn ( 75 ) on Tuesday March 30, 2004 @11:23AM (#8714065) Homepage
    What hardware would I need to do this on my 1000SX uplink. Admittedly, I've only peaked at 80Mbit/s so far, but I think even handling that will take some beefy hardware.
    • Re:I wonder... (Score:5, Informative)

      by dhartmei ( 664843 ) <> on Tuesday March 30, 2004 @03:18PM (#8717259) Homepage Journal
      Filtering ordinary traffic (not extreme test-cases of minimal packets, average number of packets/connection) statefully at 100Mbps doesn't require much hardware. Even little Soekris boxes (embedded 486 133MHz) can do that.

      For Gbps, the limiting factor is the NIC and its driver. Some cards/drivers are reported to reach more than 70% of the maximum throughput. The reason they don't (yet) go further is not packet filtering, though.

      If you want specific names/models, the mailing list archives contain the reports.

    • Re:I wonder... (Score:5, Informative)

      by hdw ( 564237 ) on Tuesday March 30, 2004 @03:23PM (#8717364)
      I'm running an OpenBSD 3.4 firewall on a PII-400 with a 100Mb/s Internet feed.

      And I know that I've reached over 40Mb/s without any sign of problem with the firewall.

      So unless you're running lots of IpSec stuff or have a high rate of connects I don't think the firewall (or OpenBSD) will be the problem.

      I think the selecting a good NIC is more important. // hdw
      • I wonder how a "little" P2 can filter 40MB/s of packets, when it seems like the same P2 will bog down in other stuff (I'm not talking about a GUI).

        can you explain this?

        • Re:I wonder... (Score:5, Insightful)

          by Homology ( 639438 ) on Tuesday March 30, 2004 @05:54PM (#8719127)
          I wonder how a "little" P2 can filter 40MB/s of packets, when it seems like the same P2 will bog down in other stuff (I'm not talking about a GUI).

          can you explain this?

          The grandparent wrote 40Mb/s, as in 40 megabit, and a PII can handle this. However, you should have a good NIC and not one of those piss-poor Realtek that offloads the work to the CPU.

        • Re:I wonder... (Score:2, Interesting)

          by hdw ( 564237 )
          yup, I can.

          First of all, I said Mb, not MB; call me conservative but I'm used to counting bandwidth in bits, not bytes.

          Second, as I stated, check your NIC and the drivers.
          It means a lot when it comes to network handling.

          (I remember how our old VAX 11/785 reacted when it shared a non-switched net with 2 Sparc servers; the poor VAX was down on its knees just by trying to ignore the traffic :)).

          And as a wider note, the performance of a system isn't only down to processor speed. There's tons of parameters, b
  • Mailto link? (Score:1, Offtopic)

    by duffbeer703 ( 177751 ) *
    Why would a /. editor include a mailto link to an OpenBSD developer in a story?

    The poor bastard is going to be flooded with spam ad crap now.
    • Re:Mailto link? (Score:5, Insightful)

      by dhartmei ( 664843 ) <> on Tuesday March 30, 2004 @03:11PM (#8717190) Homepage Journal
      addresses are already readily available for harvesters through cvsweb, mailing list archives and usenet gates, putting one in a /. posting couldn't make things any worse.

      The upside is that after a certain amount of spam received, people get really good at filtering it. That's where the motivation behind some of the anti-spam features in OpenBSD comes from, I guess :)

      • I'd say they come mainly from Theo wanting them due to all the fan mail he receives ;P
      • Maybe that caution in the spam-armour munging should be taken into account, hm? After all, if you spam the developers, they'll have brand new samples with which to test their anti-spam routines... get THEM fed up with spam and they're right at the source! Larger projects would take a little longer to have that effect(though, since nobody in their right mind likes spam, those larger projects have more people to work on it, too; that could be seen as good or bad, depending).

        Spam an ordinary person until they
  • Sad. (Score:5, Insightful)

    by MisterP ( 156738 ) * on Tuesday March 30, 2004 @05:13PM (#8718621)
    It's kind of sad that something this cool gets so little discussion on a site like Slashdot. I guess it will be news when CARP gets ported to Linux and iptables gets IP state syncing across hosts.

  • by harikiri ( 211017 ) on Tuesday March 30, 2004 @10:12PM (#8721426)
    ...and this looks really attractive to me. Our environment comprises Nokia IPSO-based firewalls running Checkpoint, so I'm very familiar with VRRP.

    However, as excellent as this looks, I can only shudder in horror at the thought of migrating any of our existing rulesets across to openbsd/pf, let alone distributed management of policies across several 'clusters' of firewalls we have.

    Yes my friends. I'm asking for a GUI. FW Builder [] is a good start, but it still needs work (porting to Windows would be a good start). Migration tools from Checkpoint (or other commercial firewalls) would be another good addition.

    PS, I ask for Windows support not for my sake, but so that my co-workers would be able to use it. However, this criticism is levelled at FW Builder.

    OpenBSD/pf/CARP has provided a brilliant technical starting block, but it needs these additional tools to make inroads into enterprise organisations.

    • by ^BR ( 37824 ) on Wednesday March 31, 2004 @12:45PM (#8726091)

      Cisco PIXes are configured the old way thru SSH (ok, there's a Web interface, never heard of anyone using it) and they sell pretty well. Cisco do have a (laughable) management solution that includes a GUI but almost nobody uses it as it plain sucks (simply installing it is a nightmare, plenty of dependencies...). The nice thing is that it provides a nice market for third party solutions to do that job...

      So having a GUI is not a prerequisite for enterprise acceptance. Even if being Cisco sure helps...

      • I configure PIXes all day long and I love the simplicity of a PIX config file. That said, Cisco has been losing market share for years because they don't have a GUI. Ever try to set up a ton of VPNs through the command line? Doable? Certainly. Fun? Not a chance.

      • Cisco PIX's GUI interface is actually very user friendly. It's a big improvement, especially for day-to-day administration.
    • If you want to run FWBuilder on Windows, install Cygwin/X. SSH to the firewall (with X11 forwarding turned on) and you are in business. I bet you could set this up with keys etc to the point that you could double click an icon on the Windows desktop and Firewall Builder would display in the Cygwin/X window.
  • by chrysalis ( 50680 ) on Wednesday March 31, 2004 @05:27AM (#8723519) Homepage
    Try UCARP [] a portable userland implementation.

    • However, there is no pfsync (or similar) for netfilter (if you'd like to have failover firewalls).

      But supposedly it doesn't matter, because netfilter doesn't have TCP window tracking.

      And because existing connections are considered new by netfilter, it should work in theory (if you allow new connections, for all the established-connections).

      Balancing won't work however, because UCARP doesn't do that, if I understand it correctly.

      As there is no replication, rules should be replicated an other way (somethi
  • by RupertJ ( 520598 ) on Wednesday March 31, 2004 @08:28AM (#8724084)
    In keeping with OpenBSD's promo songs, the 3.5 release features a Monty Python-style sketch and song about CARP/pf and VRRP etc. Very funny stuff indeed. Lyrics and links to download the songs in MP3/OGG format at []
  • by dhartmei ( 664843 ) <> on Wednesday April 07, 2004 @08:11AM (#8790764) Homepage Journal
    Jeremy Andrews from has just published an Interview with Ryan McBride [], which makes for an excellent read on CARP and pfsync.
